Hackers Weaponized Free SSH Client Putty to Attack Windows Systems With Malware


Jun 2, 2025 - 13:40

A sophisticated malware campaign that exploits legitimate SSH clients, including both the popular PuTTY application and Windows’ built-in OpenSSH implementation, to establish persistent backdoors on compromised systems.

The attack demonstrates how cybercriminals are increasingly leveraging trusted administrative tools to evade detection while maintaining unauthorized access to corporate networks.

Malware Exploits OpenSSH in Windows

The security community has long been aware of attackers distributing trojanized versions of PuTTY. This widely used free SSH client has served as an essential tool for system and network administrators for decades.

However, recent SANS researchers’ analysis reveals that threat actors have expanded their tactics to abuse Windows’ native OpenSSH client, which Microsoft integrated as a default component starting with Windows 10 version 1803.

The inclusion of OpenSSH in Windows represented a significant milestone for administrators who could finally execute SSH and SCP commands directly from the command prompt.

However, this convenience has inadvertently provided attackers with new opportunities, as SSH tools have been categorized as “Living Off the Land Binaries” (LOLBINs) – legitimate system tools that can be weaponized for malicious purposes.

This tool became a default Windows component with version 1803, making it an attractive target for threat actors seeking to blend malicious activities with legitimate system processes.

According to SANS Security researchers, a malicious sample uploaded to VirusTotal with the filename “dllhost.exe” (SHA256: b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b) achieved an 18/71 detection score, highlighting the challenge of identifying such attacks.

The malware specifically targets the Windows OpenSSH client located at “C:\Windows\System32\OpenSSH\ssh.exe” to implement a backdoor mechanism.

The attack sequence begins with the malware attempting to start an existing “SSHService” service on the compromised system. If this initial attempt fails, the malware reads a registry key at “SOFTWARE\SSHservice” to access a previously stored random port number. During the first execution, the malware generates a random port and saves it to the registry for future use.

The malware creates a sophisticated SSH configuration file that establishes communication with the attacker’s command-and-control (C2) infrastructure. The configuration file, stored at “c:\windows\temp\config,” contains specific parameters designed to maintain persistent access:

The configuration specifies the command-and-control server at IP address 193[.]187[.]174[.]3 using port 443, deliberately mimicking legitimate HTTPS traffic to avoid suspicion.

The SSH configuration includes several parameters designed to maintain persistent connectivity: ServerAliveInterval 60 and ServerAliveCountMax 15 keep the session alive through network hiccups, while StrictHostKeyChecking no disables host-key verification, suppressing the unknown-host prompt and key-mismatch warning that would otherwise surface an unauthorized connection.

The malware also implements a RemoteForward directive, although security researchers noted the configuration syntax contains errors that may impact functionality.

The backdoor operates through an infinite loop mechanism, performing extended sleep cycles between connection attempts.

This behavior pattern helps the malware evade behavioral analysis tools that monitor for rapid, repeated network connections.

Each iteration attempts to launch the legitimate ssh.exe process with the malicious configuration file, effectively turning Windows’ own security tool against the system.

Mitigations

This attack technique represents a growing trend of “Living off the Land” attacks, where legitimate system binaries (LOLBINs) are weaponized for malicious purposes.

The abuse of OpenSSH is particularly concerning given its widespread deployment across Windows environments and its legitimate use by system administrators for remote management tasks.

Security teams should implement comprehensive monitoring for SSH-related activities, particularly focusing on unusual configuration files, unexpected network connections to external SSH servers, and registry modifications related to SSH services.
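A defender-side triage helper, added here as an example and not code from SANS, the article, or the malware: it scores an OpenSSH client config for the traits described above (config dropped under a temp directory, StrictHostKeyChecking disabled, RemoteForward present, keep-alive tuning, SSH on port 443) and flags ssh.exe launches whose config lives outside a .ssh directory. It assumes the malware hands the config to ssh.exe via the standard -F option, and the sample config is constructed, with a documentation IP in place of the real C2 address.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample mirroring the directives the article lists; C2 replaced with a documentation IP.
SAMPLE_CONFIG = """\
Host c2
    HostName 192.0.2.10
    Port 443
    ServerAliveInterval 60
    ServerAliveCountMax 15
    StrictHostKeyChecking no
    RemoteForward 2222 127.0.0.1:22
"""
# Directories where a client config is a red flag (assumed list, extend per environment).
SUSPICIOUS_DIRS = ("/windows/temp/", "/temp/", "/programdata/", "/users/public/")

def parse_ssh_config(text):
    """Return (keyword, value) pairs with lower-cased keywords; comments and blanks skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

def score_ssh_config(text, path):
    """Score one client config; returns (score, reasons) so a detection rule can threshold it."""
    reasons = []
    norm = PureWindowsPath(path).as_posix().lower()
    if "/.ssh/" not in norm and any(d in norm for d in SUSPICIOUS_DIRS):
        reasons.append(f"config outside a user .ssh directory: {path}")
    cfg = dict(parse_ssh_config(text))  # last value wins, adequate for a heuristic
    if cfg.get("stricthostkeychecking") == "no":
        reasons.append("host key verification disabled")
    if "remoteforward" in cfg:
        reasons.append(f"reverse tunnel requested: RemoteForward {cfg['remoteforward']}")
    if cfg.get("port") in ("443", "80"):
        reasons.append(f"SSH on web port {cfg['port']} (mimics HTTPS/HTTP)")
    if "serveraliveinterval" in cfg and "serveralivecountmax" in cfg:
        reasons.append("keep-alive tuned for a long-lived session")
    return len(reasons), reasons

def is_suspicious_ssh_launch(cmdline):
    """True when ssh.exe is launched with -F (assumed) naming a config outside any .ssh dir."""
    m = re.search(r'ssh(?:\.exe)?"?\s.*?-F\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
    if not m:
        return False
    return "/.ssh/" not in PureWindowsPath(m.group(1)).as_posix().lower()
```

Feed score_ssh_config with files found by a scheduled scan and is_suspicious_ssh_launch with process-creation command lines (e.g. Sysmon Event ID 1) to surface this pattern without blocking legitimate administrator use of ssh.exe.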

Organizations should also consider implementing application whitelisting and behavioral monitoring solutions capable of detecting legitimate tools being used in malicious contexts.

The incident underscores the importance of monitoring native Windows tools that possess network communication capabilities, as attackers continue to exploit the inherent trust placed in these legitimate system components to maintain persistent access while evading traditional security controls.

